Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0
76 stars 12 forks

OIDC account onboarding not using given_name and family_name #23

Closed Sp1l closed 7 months ago

Sp1l commented 8 months ago

Fresh logins with EntraID result in the username being equal to the email address (UserPrincipalName) in the newly created Vaultwarden account.

OIDC spec returns given_name and family_name by default. Would be great if the standard claims can be used to populate (or even force overwrite, perhaps with a flag) the values in the user's profile.

Timshel commented 8 months ago

Hey,

It's a bit hidden in the comments on the PR but if present the preferred_username is used (it's in the spec too). Will add it to the doc somewhere.

Alternatively using name has been mentioned but I didn't want to have to handle localization.

Sp1l commented 8 months ago

Hi,

Thanks. Found the reference to preferred_username here https://github.com/Timshel/vaultwarden/blob/main/src/sso.rs#L418

What I'm after is when an SSO login triggers a new account creation, that the new user's "Name" as shown in "My account" in web-vault is populated with the given_name and family_name from the Claim. Looking at the openidconnect docs these are available in some way as EndUserGivenName and EndUserFamilyName structs.

Timshel commented 8 months ago

You should be able to configure how the preferred_username is constructed in your SSO configuration. This way you can set the combination of given_name and family_name you want; it will then be picked up on account creation (it won't be updated later on).
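
The behaviour described in this exchange, as an added example in Rust (it is not vaultwarden's code and does not mirror sso.rs): on first login the display name is taken from the ID token's preferred_username; on later logins the stored name is left alone. The fallback from preferred_username to given_name + family_name is the behaviour Sp1l asks for, not what the fork does, and is labelled as an assumed policy in the comments. The IdTokenClaims struct, UserStore and the issuer|sub account key are all constructed for the example. The one point worth carrying over into real code is the key choice: the OIDC Core spec guarantees only sub to be stable and unique at an issuer, and says preferred_username must not be relied on as unique, so it is fine as a display name but never as the lookup key.

```rust
use std::collections::HashMap;

/// Subset of OIDC standard claims from an ID token (constructed for this example).
#[derive(Debug, Clone, Default)]
pub struct IdTokenClaims {
    pub sub: String,                       // stable, issuer-scoped subject id (required by spec)
    pub email: Option<String>,             // for EntraID typically the UPN
    pub preferred_username: Option<String>,// mutable, not guaranteed unique
    pub given_name: Option<String>,
    pub family_name: Option<String>,
}

/// Display name for a newly created account.
/// Precedence assumed for this example: preferred_username, then
/// given_name + family_name (Sp1l's request, not the fork's behaviour), then email.
pub fn display_name(c: &IdTokenClaims) -> Option<String> {
    if let Some(u) = c.preferred_username.as_deref().map(str::trim).filter(|s| !s.is_empty()) {
        return Some(u.to_string());
    }
    let full = [c.given_name.as_deref(), c.family_name.as_deref()]
        .into_iter()
        .flatten()
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .collect::<Vec<_>>()
        .join(" ");
    if !full.is_empty() {
        return Some(full);
    }
    c.email.as_deref().map(str::trim).filter(|s| !s.is_empty()).map(str::to_string)
}

/// Key under which the local account is stored: issuer plus sub.
/// Scoping by issuer keeps two IdPs that both hand out sub "123" apart.
pub fn account_key(issuer: &str, c: &IdTokenClaims) -> String {
    format!("{}|{}", issuer, c.sub)
}

#[derive(Debug, Clone, PartialEq)]
pub struct LocalUser {
    pub key: String,
    pub email: String,
    pub name: String,
}

/// In-memory stand-in for the user table (constructed for this example).
#[derive(Default)]
pub struct UserStore {
    users: HashMap<String, LocalUser>,
}

impl UserStore {
    /// Look the account up by its stable key; create it on first login with the
    /// name derived from the claims, and never rename it on later logins.
    pub fn login(&mut self, issuer: &str, c: &IdTokenClaims) -> Result<LocalUser, String> {
        let email = c.email.clone().ok_or("id token has no email claim")?;
        let key = account_key(issuer, c);
        let user = self.users.entry(key.clone()).or_insert_with(|| LocalUser {
            key,
            name: display_name(c).unwrap_or_else(|| email.clone()),
            email,
        });
        Ok(user.clone())
    }
}

fn main() {
    let mut store = UserStore::default();
    let claims = IdTokenClaims {
        sub: "a1b2".into(),
        email: Some("j.doe@example.com".into()),
        preferred_username: Some("Jane Doe".into()),
        given_name: Some("Jane".into()),
        family_name: Some("Doe".into()),
    };
    let user = store.login("https://login.example.com/tenant", &claims).unwrap();
    println!("created {:?}", user);
}
```

If the IdP is configured, as Timshel suggests, to emit preferred_username as "given_name family_name", the first login above stores that string as the name; a later change of preferred_username at the IdP is ignored because the account is found by issuer|sub and not re-created.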

Sp1l commented 7 months ago

Found reference in EntraID docs.

preferred_username: Provides the preferred username claim within v1 tokens. This claim makes it easier for apps to provide username hints and show human readable display names, regardless of their token type. It's recommended that you use this optional claim instead of using upn or unique_name.

I was mistaken in thinking this would be what the user-id becomes. So learned something new today!